This exploit leverages the PlaySMS 1.4 admin log functionality to achieve remote code execution by injecting malicious PHP code into the User-Agent header, which is then rendered in the admin's 'Whose Online' panel.
Classification
Working Poc 90%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target:PlaySMS 1.4
Auth required
Prerequisites:Valid user credentials to log in · Admin must view the 'Whose Online' panel